Re: ISA2000 Nat Traversal

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 24 Aug 2002 18:23:29 +0200

Hi Andrew,

ISA does support NAT Traversal passthrough. If the VPN gateway and client
supports the IETF drafts for IPSec NAT Traversal, the IPSec packets are
encapsulated in UDP packets. So, it should be obvious that they can be
passed through ISA.

However, ISA can at this moment not be a VPN gateway (endpoint) in a NAT
Traversal scenario. The reason is that the VPN functionality in ISA uses the
W2K RRAS functions and RRAS doesn't support yet the NAT Traversal drafts.

HTH,
Stefaan

-----Original Message-----
From: Andrew Prince [mailto:Andrew@xxxxxxxxxxxxxxxxxxx]
Sent: zaterdag 24 augustus 2002 18:07
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA2000 Nat Traversal


http://www.ISAserver.org


Jim,

Thanks for the reply - I am however confused.  PPTP does not need NAT
traversal as there is no enryption with the packet payload, therefore the
packet can be modified without any deivces interpreting that as the loss of
data integraty.

With IPsec L2TP the problem involves ensuring packet integrity. When a
packet passes through a NAT device, the original IP address is modified.
This is cannot happen with IPsec, because any modification of the packet
will result in a failed integrity check and prevent the VPN tunnel from
being created.

Cheers,
Andy.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 24 August 2002 16:27
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA2000 Nat Traversal


http://www.ISAserver.org


Only for Windows 2000 PPTP.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://jalojash.org/isatools
Read the books!

----- Original Message -----
From: "Andrew Prince" <andrew@xxxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, August 24, 2002 7:15 AM
Subject: [isalist] ISA2000 Nat Traversal


http://www.ISAserver.org


Can anyone tell me if ISA2000 supports NAT Traversal?

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')



------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
andrew@xxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')



------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
stefaan.pouseele@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')



Other related posts: